Data Plane Development Kit
CVE-2020-14377
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attacker in a virtual machine to read significant amounts of host memory. The highest threat from this vulnerability is to data confidentiality and system availability.
AnalysisAI
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.
Technical ContextAI
This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attacker in a virtual machine to read significant amounts of host memory. The highest threat from this vulnerability is to data confidentiality and system availability. Affected products include: Dpdk Data Plane Development Kit, Canonical Ubuntu Linux, Opensuse Leap. Version information: before 18.11.10.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.
More in Data Plane Development Kit
View allA permissive list of allowed inputs flaw was found in DPDK. Rated high severity (CVSS 8.6), this vulnerability is remote
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Rated high severity (CVSS 8.8), this vulnerabil
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Rated high severity (CVSS 7.8). This Buffer Cop
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Rated high severity (CVSS 7.8).
A flaw was found in DPDK version 19.11 and above that allows a malicious guest to cause a segmentation fault of the vhos
A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4 and 19.x.x bef
A memory corruption issue was found in DPDK versions 17.05 and above. Rated medium severity (CVSS 6.7), this vulnerabili
A vulnerability was found in DPDK versions 18.05 and above. Rated medium severity (CVSS 6.7), this vulnerability is low
NVIDIA’s distribution of the Data Plane Development Kit (MLNX_DPDK) contains a vulnerability in the network stack, where
A flaw was found in dpdk. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. This Uncontroll
The DPDK vhost-user interface does not check to verify that all the requested guest physical range is mapped and contigu
A vulnerability was found in DPDK versions 19.11 and above. Rated medium severity (CVSS 4.4), this vulnerability is low
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today